166 Brocade ICX 6650 Security Configuration Guide 53-1002601-01

802.1X port security configuration

Re-authenticate a user
To configure RADIUS timeout behavior to bypass multi-device port authentication and permit user
access to the network, enter commands similar to the following:

Brocade(config)# interface ethernet 1/3/1
Brocade(config-if-e10000-1/3/1)# dot1x re-auth-timeout-success 60

Syntax: [no] dot1x re-auth-timeout-success seconds

The seconds parameter specifies the number of seconds the device will wait to re-authenticate a
user after a timeout. The minimum value is 10 seconds. The maximum value is 2^16 - 1 (maximum
unsigned 16-bit value).

Deny user access to the network after a RADIUS timeout
To set the RADIUS timeout behavior to bypass 802.1X authentication and block user access to the
network, enter commands such as the following:

Brocade(config)# interface ethernet 1/3/1
Brocade(config-if-e10000-1/3/1)# dot1x auth-timeout-action failure

Syntax: [no] dot1x auth-timeout-action failure

Once the failure timeout action is enabled, use the no form of the command to reset the RADIUS
timeout behavior to retry.

NOTE

If restrict-vlan is configured along with auth-timeout-action failure, the user will be placed into a
VLAN with restricted or limited access. Refer to “Allow user access to a restricted VLAN after a
RADIUS timeout” on page 166.

Allow user access to a restricted VLAN after a RADIUS timeout

To set the RADIUS timeout behavior to bypass 802.1X authentication and place the user in a VLAN
with restricted or limited access, enter commands such as the following:

Brocade(config)# interface ethernet 1/3/1
Brocade(config-if-e10000-1/3/1)# dot1x auth-timeout-action failure

Syntax: [no] dot1x auth-timeout-action failure

NOTE

The commands auth-fail-action restrict-vlan and auth-fail-vlanid are supported in the global dot1x
mode and are not supported at the port-level. The failure action of dot1x auth-timeout-action failure
will follow the auth-fail-action defined at the global dot1x level.
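The two port-level commands above interact with the global dot1x settings in a way that is easy to get wrong when reviewing a running configuration: `dot1x auth-timeout-action failure` blocks the user on a RADIUS timeout only if no global `auth-fail-action restrict-vlan` is set, and `dot1x re-auth-timeout-success` is only valid between 10 and 65535 seconds. The following audit script is an added example, not code from the guide or from Brocade; it parses a constructed running-config excerpt and reports, per interface, where a user lands on RADIUS timeout (retry, blocked, or restricted VLAN) and whether the re-authentication timer is in range. The keywords are the ones the guide documents; the assumption that the global settings sit under a `dot1x-enable` block, and the sample VLAN and port values, are constructed for the example.

```python
"""Audit 802.1X RADIUS-timeout settings in a Brocade-style running config.

Added example; not part of the Brocade ICX 6650 Security Configuration Guide.
"""
import re

# Constructed sample running-config (not taken from the guide). Placing the
# global auth-fail-action / auth-fail-vlanid lines under "dot1x-enable" is an
# assumption about the global dot1x mode layout.
SAMPLE_CONFIG = """\
dot1x-enable
 auth-fail-action restrict-vlan
 auth-fail-vlanid 30
!
interface ethernet 1/3/1
 dot1x auth-timeout-action failure
 dot1x re-auth-timeout-success 60
!
interface ethernet 1/3/2
 dot1x re-auth-timeout-success 5
!
interface ethernet 1/3/3
 dot1x auth-timeout-action failure
 dot1x re-auth-timeout-success 70000
!
"""

MIN_REAUTH = 10           # minimum value documented for re-auth-timeout-success
MAX_REAUTH = 2 ** 16 - 1  # 65535, the maximum unsigned 16-bit value


def parse_config(text):
    """Split the config into global dot1x settings and per-interface dot1x lines."""
    global_settings = {}
    interfaces = {}
    current = None  # None means we are in global context
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
            continue
        if line == "dot1x-enable":
            current = None
            continue
        if current is None:
            m = re.match(r"auth-fail-action\s+(\S+)$", line)
            if m:
                global_settings["auth_fail_action"] = m.group(1)
            m = re.match(r"auth-fail-vlanid\s+(\d+)$", line)
            if m:
                global_settings["auth_fail_vlanid"] = int(m.group(1))
        else:
            interfaces[current].append(line)
    return global_settings, interfaces


def timeout_outcome(iface_lines, global_settings):
    """Where a user lands on RADIUS timeout for this port.

    'retry' is the default (and what the no form restores); 'blocked' is the
    failure action with no global restrict-vlan; with restrict-vlan set, the
    failure action follows the global auth-fail-action into the restricted VLAN.
    """
    if "dot1x auth-timeout-action failure" not in iface_lines:
        return "retry"
    if global_settings.get("auth_fail_action") == "restrict-vlan":
        vlan = global_settings.get("auth_fail_vlanid", "?")
        return f"restricted-vlan {vlan}"
    return "blocked"


def reauth_timeout_issue(iface_lines):
    """Return None if re-auth-timeout-success is absent or within range, else a message."""
    for line in iface_lines:
        m = re.match(r"dot1x re-auth-timeout-success\s+(\d+)$", line)
        if m:
            secs = int(m.group(1))
            if not MIN_REAUTH <= secs <= MAX_REAUTH:
                return (f"re-auth-timeout-success {secs} is outside "
                        f"{MIN_REAUTH}-{MAX_REAUTH} seconds")
    return None


def audit(text):
    """Map each interface to (timeout outcome, re-auth timer issue or None)."""
    global_settings, interfaces = parse_config(text)
    return {name: (timeout_outcome(lines, global_settings),
                   reauth_timeout_issue(lines))
            for name, lines in interfaces.items()}


if __name__ == "__main__":
    for name, (outcome, issue) in audit(SAMPLE_CONFIG).items():
        print(f"{name}: on RADIUS timeout -> {outcome}; {issue or 'timer ok'}")
```

Running the script against the sample prints that port 1/3/1 sends timed-out users to restricted VLAN 30 (because the global restrict-vlan action overrides the port-level failure action), port 1/3/2 stays on the default retry behaviour but has a timer below the 10-second minimum, and port 1/3/3 has a timer above 65535. The same check applied to a real running config would flag ports whose operators believe the failure action blocks access when the global setting actually places users in a restricted VLAN.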

Dynamic VLAN assignment for 802.1X port configuration

When a client successfully completes the EAP authentication process, the Authentication Server
(the RADIUS server) sends the Authenticator (the Brocade device) a RADIUS Access-Accept
message that grants the client access to the network. The RADIUS Access-Accept message
contains attributes set for the user in the user's access profile on the RADIUS server.
